HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges

The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent.

Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – explained the attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented.

When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.”

He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better. Money is being thrown at the problem, but the problem is not being effectively tackled. If healthcare organizations fail to get the basics right, they leave gaping holes in their security defenses that can all too easily be exploited by hackers.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Augenbaum’s keynote speech, titled “The Health Information Executive’s Guide to Cybersecurity”, was intended to raise awareness of the problem and explain the seriousness of the current threat level. In the address, Augenbaum pointed out that foreign government-backed hackers pose a serious problem for the healthcare industry. Furthermore, the situation is likely to get a lot worse.

While foreign entities have not previously been interested in healthcare data, the situation today is very different. Augenbaum explained that part of China’s plan is for the country to become a world leader in healthcare innovation by 2020, yet the Chinese government wants to do this without committing funds to research. Instead, the focus is attacking healthcare organizations in the United States to gain access to healthcare information systems. According to Augenbaum, Russia, Nigeria, and other foreign countries are also using hackers to target U.S healthcare providers.

It is not only foreign governments that are keen to obtain healthcare data. Independent hackers from home and abroad are attempting to hold the healthcare industry to ransom by infiltrating their networks and stealing their data.If cybersecurity defenses are not improved, attacks are not only likely to continue, the situation is likely to get considerably worse.

One of the best places to start is with basic cyber-hygiene. Augenbaum suggested focusing on five key areas of basic cybersecurity – as detailed in the Sans Institute’s CIS Critical Security Controls for Effective Cyber Defense. (Details on this link). By following these guidelines, Augenbaum says it is possible to prevent 90% of healthcare data breaches.

These are:

  • Create an inventory of authorized and unauthorized devices
  • Create an inventory of authorized and unauthorized software
  • Ensure secure configurations for hardware and software on all devices (PCs, laptops, mobiles, tablets, servers, and IoT devices)
  • Ensure continuous vulnerability assessments are performed and vulnerabilities are remediated promptly
  • Ensure administrative privileges are controlled

Augenbaum also explained that many organizations have still not appointed a dedicated person to look after cybersecurity strategy at the highest level. The task is often given to people low down the chain who typically lack the relevant experience or understanding.

It was also explained that healthcare leaders need to build comprehensive IT security strategies. Augenbaum pointed out this is not a quick process.  “It takes a full three to five years to implement a comprehensive IT security strategy. People simply don’t understand this.” It is therefore essential that process starts now.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.